The Hidden Wiper: How VECT Ransomware's Encryption Flaw Destroys Data Beyond Recovery


Introduction

In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace. However, a recent discovery by Check Point Research (CPR) has unveiled a startling twist: the VECT ransomware, initially perceived as a sophisticated encryption tool, is actually a data wiper in disguise. A critical flaw in its encryption design makes full recovery impossible—not just for victims, but even for the attackers themselves. This article dives into the technical findings and background of the VECT group, revealing a story of amateur execution behind a professional facade.

Source: research.checkpoint.com

Critical Encryption Flaw: Ransomware by Design, Wiper by Accident

The cornerstone of CPR's analysis is a devastating flaw in VECT's encryption implementation. For any file larger than 131,072 bytes (128 KB), the ransomware encrypts the file in four chunks, each under its own nonce, and then discards three of the four nonces. The key itself survives, but a ChaCha20 keystream can only be regenerated from the key and the nonce together, so the chunks whose nonces were thrown away cannot be decrypted by anyone. The result is a file that is permanently corrupted: no one, not even the VECT operators, can recover the original data.

This threshold of 128 KB is alarmingly low. It affects virtually any file containing meaningful data: enterprise assets such as virtual machine disks, databases, documents, and backups. In effect, VECT transforms from a ransomware into a wiper, destroying critical information rather than holding it for ransom. CPR confirmed this flaw exists across all publicly available versions of VECT, spanning Windows, Linux, and ESXi platforms.

Misidentified Cipher: No Authentication, No Integrity

Adding to the confusion, the cipher used by VECT has been widely misreported. Multiple threat intelligence reports, and VECT's own advertisements, claimed the malware used ChaCha20-Poly1305, an authenticated encryption (AEAD) scheme. CPR's reverse engineering shows otherwise: VECT uses raw ChaCha20-IETF (RFC 8439), the unauthenticated stream cipher on its own, with no Poly1305 MAC and no integrity protection of any kind. Decryption is therefore a bare XOR with the keystream that can never fail: a decryptor fed the wrong nonce returns garbage without any error, and a flipped ciphertext bit flips the same plaintext bit undetected. Encrypted files carry nothing that could tell a victim, or the operators, which parts of a file have come back intact, which further compounds the recovery challenge.

Advertised Speed Modes: Silent Ignorance

The Linux and ESXi variants of VECT boast command-line flags like --fast, --medium, and --secure, supposedly allowing operators to tune encryption speed. In reality, these flags are parsed and then silently ignored. Every execution applies identical hardcoded thresholds, regardless of the operator's selection. This not only misleads attackers but also suggests a lack of development rigor.

Three Platforms, One Flawed Engine

Despite targeting Windows, Linux, and ESXi, all three variants of VECT share an identical encryption design built on libsodium. The same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw appear across every platform. This confirms a single codebase ported across environments, making the flaw universal and increasing the potential damage scope.


Professional Facade, Amateur Execution

Beyond the nonce flaw, CPR identified a litany of additional bugs and design failures. These include self-cancelling string obfuscation, which inadvertently neutralizes its own protective measures, and permanently unreachable anti-analysis code that never executes. Even the thread scheduler, intended to improve encryption performance, degrades it instead. These issues paint a picture of a group that appears professional on the surface but lacks the internal quality control to deliver a functional product.

Background: The VECT Ransomware Group and Their Partnerships

VECT first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) program. After claiming its first two victims in January 2026, the group reemerged in the public eye through a partnership with TeamPCP, a threat actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx's KICS, LiteLLM, and Telnyx, affecting a broad downstream consumer base.

Shortly after those attacks made headlines, VECT announced the partnership on BreachForums, aiming to target companies already compromised by TeamPCP's supply-chain campaign. In a separate announcement, VECT also partnered with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to the ransomware, negotiation platform, and leak site. This unconventional approach aimed to democratize ransomware operations but has now been undercut by the discovery that VECT's tool is fundamentally broken.

Conclusion

The VECT ransomware serves as a cautionary tale: even in the shadowy world of cybercrime, quality matters. The encryption flaw that turns VECT into a wiper, the misidentified cipher, the unimplemented features, and the multiple bugs all point to a group that rushed to market without rigorous testing. For defenders, the practical consequence is that any victim of VECT should treat every encrypted file larger than 128 KB as unrecoverable, whether or not a ransom is paid, and should focus on restoring from backups and on incident response rather than on negotiation. As the VECT group's partnerships continue to evolve, the cybersecurity community must remain vigilant, and aware that not all ransomware is what it appears to be.
